aahmadbasri
Staff
Article Id 410099
Description This article describes the procedure to register the FortiToken license following an RMA of a FortiGate in an HA cluster.
Scope FortiGate in HA, FortiToken.
Solution

This article focuses on an HA environment, where the FortiToken license is registered on the primary unit, and the primary unit is later RMA'ed. 

 

When setting up a High Availability (HA) cluster with multiple FortiGate units, any FortiToken Mobile licenses must be registered and applied to the primary unit.

 

After HA is configured, all tokens are replicated across cluster members. Because of this, only one FortiToken Mobile license is needed per HA cluster.

 

In a scenario where the primary needs to be RMA'ed, the secondary unit uses the FortiToken licenses assigned to the serial number of the primary unit. When a replacement primary unit is joined to the cluster, it is treated as a slave, because the secondary unit holds the master role at that moment.

 

The secondary unit (current Master) then copies the FortiToken license to the new primary unit, but those FortiTokens will still be registered to the defective primary unit’s serial number.

 

Tokens that are already assigned are not affected; the administrator does not need to reprovision them, and users do not need to reactivate them. However, there might be an issue in assigning a new token, as the FortiToken license is registered on the new unit. Therefore, after the RMA of the primary unit, the following steps can be performed to re-register the FortiToken license.

 

  1. After the RMA of the primary unit, the secondary unit is the new Master.
  2. Install the RMA unit. Ensure it does not take the Master role. Wait for HA to be synced.
  3. After HA is fully synchronized, fail over to the new Master unit and register the EFTM license (20-digit code) from the redemption certificate license:
     • Locate the 20-digit code on the redemption certificate for the license: EFTMxxxxxxxx.
     • Go to User & Authentication -> FortiTokens -> Create New -> Mobile Token.
     • Enter the 20-digit certificate code in the Activation Code box.
 
